Method And System For Integrating Remote Devices Into A Domestic VLAN

ABSTRACT

A gateway network device may establish secure connections to a plurality of remote network devices using tunneling protocols to distribute to the remote network devices multimedia content received from one or more content providers. The consumption of the multimedia content may originally be restricted to a local network associated with the gateway network device. The secure connections may be set up using the L2TP protocol, and the L2TP tunneling connections may be secured using the IPSec protocol. Use of multimedia content may be restricted based on DRM policies of the content provider. DRM policies may be implemented using the DTCP protocol, which may restrict use of the multimedia content based on roundtrip times and/or IP subnetting. Each content provider may use one or more VLAN identifiers during communication of the multimedia content to the gateway network device, and the gateway network device may associate an additional VLAN identifier with each secure connection.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 12/796,152, filed Jun. 8, 2010, pending, and claims priority to and claims benefit from U.S. Provisional Patent Application Ser. No. 61/228,302 filed on Jul. 24, 2009, both of which are incorporated herein by reference in their entirety.

TECHNICAL FIELD

Certain embodiments of the invention relate to networking. More specifically, certain embodiments of the invention relate to a method and system for integrating remote devices into a domestic VLAN.

BACKGROUND

Multimedia playback devices may be utilized to play multimedia streams received from broadcast head-ends and/or content providers. Multimedia streams may be received via wired connections and/or over wireless connections. For example, Television (TV) broadcasts may be transmitted by television head-ends over broadcast channels, via RF carriers. The TV head-ends may comprise terrestrial TV head-ends, Cable-Television (CATV), satellite TV head-ends, and/or Internet Protocol Unicast, Multicast, and/or Broadcast head-ends. The TV head-ends may utilize, for example, a set of broadcast channels to facilitate TV broadcast. The TV broadcasts comprise transmission of video and/or audio information, wherein the video and/or audio information may be encoded into the broadcast channels via one of a plurality of available modulation schemes. Multimedia streams may also sometimes be broadcast via the Internet. Internet head-ends may be utilized, for example, to communicate multimedia streaming data via the Internet, based on one or more applicable networking standards, including TCP/IP; the streaming data may correspond to TV broadcasts or to dedicated multimedia content provided exclusively via the Internet. To protect against unwanted use and/or copying of broadcast multimedia, use of multimedia content may be restricted by use of Digital Rights Management (DRM) policies. DRM policies may comprise access control technologies that enable content providers to impose geographic limits on use of multimedia content to within homes and/or offices of subscribers.

Further limitations and disadvantages of conventional and traditional approaches will become apparent to one of skill in the art, through comparison of such systems with some aspects of the present invention as set forth in the remainder of the present application with reference to the drawings.

BRIEF SUMMARY

A system and/or method is provided for integrating remote devices into a domestic VLAN, substantially as shown in and/or described in connection with at least one of the figures, as set forth more completely in the claims.

These and other advantages, aspects and novel features of the present invention, as well as details of an illustrated embodiment thereof, will be more fully understood from the following description and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a block diagram that illustrates an exemplary communication network that enables distribution of multimedia content from content providers to a plurality of network devices, in accordance with an embodiment of the invention.

FIG. 1B is a block diagram that illustrates exemplary Ethernet packet structures utilized for extending domestic VLAN based connectivity to remote devices, in accordance with an embodiment of the invention.

FIG. 2A is a block diagram that illustrates an exemplary gateway management system that enables distributing multimedia content to both local and remote devices, in accordance with an embodiment of the invention.

FIG. 2B is a block diagram that illustrates an exemplary processing subsystem in a gateway management system that enables distributing multimedia content to both local and remote devices, in accordance with an embodiment of the invention.

FIG. 3 is a flow chart that illustrates use of a gateway device to distribute multimedia content to remote devices, in accordance with an embodiment of the invention.

DETAILED DESCRIPTION

Certain embodiments of the invention may be found in a method and system for integrating remote devices into a domestic VLAN. In various embodiments of the invention, a gateway network device may establish secure connections with a plurality of remote network devices, utilizing one or more tunneling protocols, to distribute to the plurality of remote network devices via the secure connections multimedia content received by the gateway network device from one or more content providers. The consumption of the distributed multimedia content may originally be restricted to a plurality of local network devices that are communicatively coupled to a local network associated with the gateway network device, and the remote network devices would not originally be authorized to consume the distributed multimedia content prior to the distribution by the gateway network device, due to geographical remoteness. The secure connections may be set up using layer 2 tunneling protocol (L2TP), and these L2TP based tunneling connections may be secured using Internet Protocol Security (IPSec). Use of the multimedia content may be restricted based on a Digital Rights Management (DRM) policy of the content provider. The DRM policy may be implemented using Digital Transmission Content Protection (DTCP) protocol, which may restrict use of the multimedia content based on roundtrip times and/or IP subnets. Each content provider may utilize one or more VLAN identifiers during communication of the multimedia content to the gateway network device. The gateway network device may also associate with each secure connection an additional VLAN identifier that may be used to tag packets used to communicate the multimedia content to the remote network devices. Consequently, multimedia content distribution to remote network devices may comprise communicating double VLAN-tagged packets to the remote network devices during distribution of multimedia content to the remote network devices.

FIG. 1A is a block diagram that illustrates an exemplary communication network that enables distribution of multimedia content from content providers to a plurality of network devices, in accordance with an embodiment of the invention. Referring to FIG. 1A, there is shown a gateway network device 110, local network devices 112 a and 112 b, a remote network device 114, a broadband network 122, and service/content providers 124 a and 124 b.

The service/content providers 124 a and 124 b may comprise equipment comprising suitable logic, circuitry, interfaces, and/or code operable to communicate multimedia and/or Internet content via connections 120 a and 120 b, respectively, over backhaul links into the broadband network 122. Multimedia and/or Internet content may comprise voice, audio and/or visual content comprising video, still images, animated images, and/or textual content. The connectivity between the service/content providers 124 a and 124 b and the broadband network may be provided, for example, via one or more optical, wired, and/or wireless links. One or more of a variety of protocols, such as Ethernet, T1/E1, and xDSL may be utilized for communicating data over the connections 120 a and 120 b. The broadband network 122 may comprise, for example, a satellite network, cable network, DVB network, the Internet, or similar local or wide area networks, which are capable of conveying data which may comprise, but is not limited to, voice, Internet data, and/or multimedia.

The gateway network device 110 may be installed in a location 106 to manage distribution of multimedia content received, for example, via the broadband network 122, from service/content providers 124 a and/or 124 b. The location 106 may correspond to a residence, a multi-tenant property, and/or a commercial property. Exemplary commercial properties may comprise stores, restaurants, offices, or municipal buildings. Exemplary residences may comprise single-family homes, home offices, and/or town-houses. Exemplary Multi-tenant properties may comprise residential and/or commercial tenants such as apartments, condos, hotels, and/or high rises. In this regard, the gateway network device 110 may comprise suitable logic, circuitry, interfaces, and/or code that may enable communication via the broadband network 122. The gateway network device 110 may also comprise suitable logic, circuitry, interfaces, and/or code to enable communicating the received multimedia content to a plurality of network devices, for example local network devices 112 a and/or 112 b, which may be associated with the gateway network device 110 via a local network. The communication of multimedia content from the gateway network device 110 to the local network devices 112 a and/or 112 b may be performed via wired and/or wireless links. Exemplary wireless protocols may comprise one or more cellular standards, such as CDMA, GSM, TDMA, GPRS, EDGE, UMTS/WCDMA, HSDPA, extensions thereto, and/or variants thereof; IEEE 802.11 based standards, and/or WiMAX based standards.

The local network devices 112 a and 112 b may each comprise suitable logic, circuitry, interfaces, and/or code that may be operable to communicate utilizing one or more wired and/or wireless standards. In this regard, each of the local network devices 112 a and 112 b may be operable to transmit and/or receive data via cellular, WiFi, and/or Fiber based links and/or connections to the gateway network device 110. Exemplary local network devices may comprise personal computers (PC), laptop computers, mobile phones, and/or personal multimedia players. The local network devices 112 a and 112 b may receive, process, and/or present multimedia content, and may additionally be enabled to run a web browser or other applications for providing Internet services to a user of the local network device 112 a and/or 112 b.

In some exemplary embodiments of the invention, the gateway network device 110 may be operable to perform one or more functions of a set-top-box. In this regard, the gateway network device 110 may be operable to transmit and/or receive multimedia via a multimedia network such as a satellite television network, a cable television network, and/or a digital video broadcast (DVB) network. Additionally, the gateway network device 110 may be operable to encrypt, decrypt, compress, decompress, encode, decode, transcode, present, scramble, descramble, or otherwise process multimedia content. The gateway network device 110 may then be operable to output multimedia content to the local network device 112 a and 112 b, which may be operable as multimedia devices such as monitors, speakers, and/or storage devices.

The remote network device 114 may comprise suitable logic, circuitry, interfaces, and/or code that may be operable to establish communication links with the gateway network device 110 via the broadband network 122. Exemplary remote network devices may comprise personal computers (PC), laptop computers, mobile phones, and/or multimedia players. In an exemplary aspect of the invention, the remote network device 114 may receive, process, and present multimedia content distributed by the gateway network device 110 via the broadband network 122, and may additionally be operable to run a web browser or other applications for providing interactive access to a user of the remote network device 114.

In operation, the gateway network device 110 may receive multimedia content from one or both of the service/content providers 124 a and 124 b. The gateway network device 110 may be operable to, for example, process received Internet packets, communicated via the broadband network 122, which may comprise multimedia data. After processing the received packets, to extract the multimedia content for example, the gateway network device 110 may store and/or forward received data to one or more of the local network devices 112 a and 112 b. For security purposes, use of multimedia content communicated by the service/content providers 124 a and 124 b may be restricted. For example, in instances where the service/content providers 124 a and 124 b may correspond to cable TV providers, use of restriction technologies may ensure that only subscribers may access the communicated data, and that the use is further limited to a geographical location, e.g., a residence or an office.

The use of multimedia content may be restricted, for example, by use of Digital Rights Management (DRM) policies. DRM policies may comprise access control technologies that enable content providers to limit use of multimedia content. For example, the Digital Living Network Alliance (DLNA), which represents many manufacturers of consumer electronics, has adopted Digital Transmission Content Protection (DTCP) as its current DRM to enable purchasers of entertainment devices to share multimedia content across home based networks. DTCP is a DRM based technology that restricts digital home devices, including DVD players and televisions, so that they distribute multimedia content to other devices, such as personal computers or portable media players, only where these other devices also implement DTCP.

The DTCP standard imposes various requirements to ensure that distributed multimedia content may be used securely. For example, the DTCP standard imposes a roundtrip requirement, typically 7 milliseconds, for any request for authentication to be honored. Another requirement imposed by the DTCP standard is the use of a single IP subnet—i.e., the requesting device must be on the same subnet as the device that actually receives the multimedia content. An IP subnet may comprise a plurality of networked computers and devices that may have a common, designated IP address routing prefix.
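An added example, not part of the original text: a sketch of the two locality requirements described above, as they would be evaluated by the device that holds the content. The function and class names, the sample addresses and the round-trip values are constructed; treating the lowest measured round trip as the deciding value, and refusing when no measurement exists, are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

RTT_LIMIT_MS = 7.0  # typical round-trip limit given in the text


@dataclass
class LocalityDecision:
    honored: bool
    reasons: list = field(default_factory=list)


def check_locality(source_interface, requester_ip, rtt_samples_ms,
                   rtt_limit_ms=RTT_LIMIT_MS):
    """Decide whether an authentication request meets both requirements.

    source_interface: "address/prefix" of the device holding the content.
    requester_ip:     address the request came from.
    rtt_samples_ms:   measured round-trip times for this requester.
    """
    reasons = []
    iface = ipaddress.ip_interface(source_interface)
    requester = ipaddress.ip_address(requester_ip)

    # Requirement 1: requester shares the routing prefix (single IP subnet).
    if requester.version != iface.version or requester not in iface.network:
        reasons.append(f"{requester} is outside subnet {iface.network}")

    # Requirement 2: round trip within the limit. Fail closed when nothing
    # was measured, so a missing probe never counts as "local".
    if not rtt_samples_ms:
        reasons.append("no round-trip measurement available")
    elif min(rtt_samples_ms) > rtt_limit_ms:
        reasons.append(
            f"best round trip {min(rtt_samples_ms):.1f} ms exceeds "
            f"{rtt_limit_ms:.1f} ms")

    return LocalityDecision(honored=not reasons, reasons=reasons)


def evaluate_samples():
    """Constructed requests against a source at 192.168.1.1/24."""
    source = "192.168.1.1/24"
    return {
        "local": check_locality(source, "192.168.1.20", [1.2, 0.9, 1.4]),
        "remote": check_locality(source, "203.0.113.7", [38.0, 41.5]),
        "same_subnet_slow": check_locality(source, "192.168.1.200", [35.0]),
        "unmeasured": check_locality(source, "192.168.1.21", []),
    }


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(name, decision.honored, decision.reasons)
```
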

Furthermore, virtual local area network (VLAN) tagging may be utilized to enable service/content providers to uniquely designate their multimedia content. A VLAN may comprise groups of devices that may share a plurality of common requirements, and which may communicate as if they were directly attached regardless of their physical location. Use of VLAN may allow the devices to be grouped together even if they are not located on the same routers and/or switches. For example, each of the service/content providers 124 a and/or 124 b may be associated with one or more VLAN Identifiers (VIDs), which may be utilized to designate packets, which may carry multimedia content, communicated to the gateway network device 110. Based on the VIDs recovered from received packets, the gateway network device 110 may determine the characteristics and/or attributes of the corresponding VLAN to which the received packet belongs, and may control its distribution of the multimedia content based on the characteristics, to a plurality of other devices beyond the gateway network device 110 for example. The VIDs used by the service/content providers 124 a and/or 124 b may limit use of the multimedia content to the local network devices 112 a and/or 112 b within the location 106.

In an exemplary aspect of the invention, the gateway network device 110 may be operable to distribute the multimedia content to a plurality of remote network devices, which may normally be prohibited from using that multimedia content. The service/content providers 124 a and/or 124 b may authorize distribution of communicated multimedia content where the gateway network device 110 may be able to ensure secure communication of the multimedia content to a limited group of remote devices. For example, the gateway network device 110 may utilize secure tunneling communications to ensure that a specific group of remote devices may be able to receive and use multimedia content received from service/content providers 124 a and/or 124 b. Various tunneling protocols may be used to enable such tunneling communication. Tunneling protocols may be used to communicate payloads over incompatible and/or un-trusted networks via secure paths. An exemplary tunneling protocol that may be used is Layer 2 Tunneling Protocol (L2TP). The L2TP protocol, however, does not provide any encryption or confidentiality by itself. Accordingly, additional security protocols may be used to provide encryption and/or authentication within the tunnel to ensure security and/or privacy. An exemplary security protocol that may be used in conjunction with the L2TP protocol to provide secure tunneling connections is the Internet Protocol Security (IPSec) protocol. For example, the gateway network device 110 may establish an L2TP/IPSec tunneling based secure connection 116 to the remote network device 114 to enable secured and/or private distribution of multimedia content received from the service/content providers 124 a and/or 124 b to the remote network device 114.

In instances where a VLAN based implementation is used to ensure secured distribution of multimedia content by the service/content providers 124 a and/or 124 b via the gateway network device 110 within the location 106, a secondary VLAN implementation may be used to enable distribution of the multimedia content to remote devices. For example, double VLAN-tagged packets, based on the IEEE 802.1Q-in-Q standard for example, which may comprise two levels of VLAN tagging, may be used to enable expanding the VLAN space managed by the gateway network device 110 to include remote devices, for example remote network device 114. Accordingly, double-tagged packets may be communicated by the gateway network device 110 where a first level of the double-tagging may preserve the VLAN tags used by service/content providers 124 a and/or 124 b, and a second VLAN tag, which may use unique VIDs specified via the gateway network device 110, may be used by the gateway network device 110 to ensure that only specific remote devices, for example remote network device 114, may be permitted to receive multimedia content distributed by the gateway network device 110 external to the location 106. The use of secure tunneling connections and/or VLAN double-tagging may enable the gateway network device 110, where authorized by the service/content providers 124 a and/or 124 b, to overcome and/or simulate the requirements of DRM policies, based on DTCP standard for example, which may otherwise be used to limit distribution of multimedia content to within the location 106 and restrict use of such multimedia content external to the location 106.

FIG. 1B is a block diagram that illustrates exemplary Ethernet packet structures utilized for extending domestic VLAN based connectivity to remote devices, in accordance with an embodiment of the invention. Referring to FIG. 1B, there is shown exemplary Ethernet frames 140, 142, and 144.

The Ethernet frame 140 may comprise, for example, a destination MAC address 150, a source MAC address 152, a type/size field 154, a payload 156, and a cyclic redundancy check (CRC) field 158. The destination MAC address 150 may identify the MAC address for the network device where the Ethernet packet is destined. The source MAC address 152 may identify the MAC address for the network device from which the Ethernet packet was sent. The type/size field 154 may specify the type of Ethernet frame and the size of the payload 156. The payload 156 may comprise the data carried via the Ethernet frame 140. For example, the payload 156 may comprise actual data, and encapsulation headers and/or footers for applicable layers. The size of payload 156 is variable, and is between 46 and 1500 bytes. The CRC field 158 may be used to enable performing error detection and/or correction, based on the CRC algorithm, during Ethernet based communications.

The exemplary Ethernet frame 142 may represent an alternative structure for Ethernet frames communicated via Ethernet links. Similar to the Ethernet frame 140, the Ethernet frame 142 may also comprise the destination MAC address 150, the source MAC address 152, the type/size field 154, the payload 156, and the CRC field 158. The Ethernet frame 142, however, may additionally comprise a virtual local area network (VLAN) tag field 160, in conformity with IEEE 802.1Q, to generate VLAN tagged Ethernet frames, which may be utilized to enable VLAN routing, where applicable. The VLAN tag field 160 may comprise a VLAN Identifier (VID), and it may be used to facilitate routing of Ethernet packets between devices corresponding to the same VLAN grouping.

The exemplary Ethernet frame 144 may represent yet another alternative structure for Ethernet frames. Similar to the Ethernet frames 140 and 142, the Ethernet frame 144 may also comprise the destination MAC address 150, the source MAC address 152, the type/size field 154, the payload 156, and the CRC field 158. The Ethernet frame 144, however, may additionally comprise an outer VLAN tag field 162 and an inner VLAN tag field 164, in conformity with IEEE 802.1Q-in-Q, to generate double-tagged Ethernet frames, which may be utilized to expand the VLAN space by enabling broader and/or more flexible packet routing capabilities. Each of the outer VLAN tag field 162 and the inner VLAN tag field 164 may be structured similarly to the VLAN tag field 160 in Ethernet frame 142, and each may comprise a different VID. The use of the outer VLAN tag field 162 and the inner VLAN tag field 164 may allow routing Ethernet packets based on two-level VLAN grouping, wherein different routing rules and/or criteria may be applicable to different sub-groups of devices within a larger common VLAN space.

In operation, Ethernet packets, based on one or more of the Ethernet frames 140, 142, and/or 144 may be utilized during operations via the gateway network device 110. For example, packets that may be based on Ethernet frame 140 may be utilized where no VLAN implementation is used. For example, because the gateway network device 110 and the local network device 112 b may have a direct connection, Ethernet packets based on the Ethernet frame 140 may be used to exchange data and/or messages.

In instances where a VLAN based implementation may be used, the Ethernet frame 142 may be used instead. For example, VLAN tagging may be used to limit use of multimedia content communicated by the service/content providers 124 a and/or 124 b to the location 106. Accordingly, packets comprising instances of the Ethernet frame 142 may be used to communicate the multimedia content from the service/content providers 124 a and/or 124 b to the gateway network device 110 via the broadband network 122, via VLAN based connections 120 a and 120 b, respectively. The gateway network device 110 may validate the VID parameter in the VLAN tag field 160 in the received packets to ensure that only permitted local devices may receive the multimedia content.

The Ethernet frame 144 may be utilized during secure distribution of multimedia content by the gateway network device 110 to, for example, the remote network device 114. In this regard, Ethernet frame 144 may be used to implement VLAN grouping between the gateway network device 110 and the remote network device 114 while at the same time maintaining the VLAN grouping used by the service/content providers 124 a and 124 b to restrict use of communicated multimedia content. For example, the gateway network device 110 may receive multimedia content in Ethernet frames 142 from service/content providers 124 a and 124 b for local consumption in the location 106. To facilitate secure distribution of the multimedia content to the remote network device 114, via L2TP/IPSec secure connections for example, the gateway network device 110 may simply copy the VLAN tag field 160 in Ethernet frame 142 into the inner VLAN tag field 164 in Ethernet frame 144 to preserve content provider VLAN data, including any included unique VIDs. The gateway network device 110 may then set the outer VLAN tag field 162 to ensure secure communication of the Ethernet packet to the remote network device 114. For example, the VID parameter in the outer VLAN tag field 162 may be set to a value associated with the particular secure connection 116 for example.
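An added example, not part of the original text: the double-tagging step described above, with the provider-VID validation on the gateway and the matching outer-VID check on the remote end of the secure connection. All function names, MAC addresses and VID values are constructed; frames are handled without the CRC field, and the outer tag's TPID of 0x88A8 (IEEE 802.1ad) is an assumption, since the text only says "802.1Q-in-Q".

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q tag, as in VLAN tag field 160 / inner field 164
TPID_STAG = 0x88A8  # assumption: outer field 162 uses the 802.1ad service-tag TPID
VID_MASK = 0x0FFF   # low 12 bits of the tag control information hold the VID


class FrameRejected(Exception):
    """Raised when a frame fails a tagging or VID check and must be dropped."""


def parse(frame):
    """Split a frame (no CRC) into (dst, src, [(tpid, tci), ...], type, payload)."""
    tags, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise FrameRejected("truncated header")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_CTAG, TPID_STAG):
            return frame[:6], frame[6:12], tags, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise FrameRejected("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci))
        off += 4


def build(dst, src, tags, etype, payload):
    """Serialize header fields and VLAN tags back into a frame (no CRC)."""
    out = dst + src
    for tpid, tci in tags:
        out += struct.pack("!HH", tpid, tci)
    return out + struct.pack("!H", etype) + payload


def gateway_encapsulate(frame_142, provider_vids, tunnel_vid):
    """Turn a single-tagged provider frame into a double-tagged frame 144."""
    dst, src, tags, etype, payload = parse(frame_142)
    if len(tags) != 1 or tags[0][0] != TPID_CTAG:
        raise FrameRejected("expected exactly one 802.1Q tag from the provider")
    if (tags[0][1] & VID_MASK) not in provider_vids:
        raise FrameRejected("provider VID is not permitted")
    if not 1 <= tunnel_vid <= 4094:
        raise FrameRejected("tunnel VID out of range")
    # Inner tag is the provider tag copied unchanged; outer tag carries the
    # VID bound to this secure connection (priority bits left at zero).
    return build(dst, src, [(TPID_STAG, tunnel_vid), tags[0]], etype, payload)


def remote_decapsulate(frame_144, tunnel_vid):
    """Check the outer VID against the tunnel the frame arrived on, then strip it."""
    dst, src, tags, etype, payload = parse(frame_144)
    if len(tags) != 2 or tags[0][0] != TPID_STAG or tags[1][0] != TPID_CTAG:
        raise FrameRejected("expected outer and inner VLAN tags")
    if (tags[0][1] & VID_MASK) != tunnel_vid:
        raise FrameRejected("outer VID does not match this secure connection")
    return tags[1][1] & VID_MASK, build(dst, src, [tags[1]], etype, payload)


def sample_provider_frame(vid=100):
    """Constructed frame 142: priority 5, given VID, IPv4 type, 46-byte payload."""
    dst = bytes.fromhex("02aabbccdd01")
    src = bytes.fromhex("02aabbccdd02")
    return build(dst, src, [(TPID_CTAG, (5 << 13) | vid)], 0x0800, bytes(46))


if __name__ == "__main__":
    f142 = sample_provider_frame()
    f144 = gateway_encapsulate(f142, provider_vids={100, 101}, tunnel_vid=2001)
    print("tags in frame 144:", f144[12:20].hex())
    print("inner VID at remote end:", remote_decapsulate(f144, 2001)[0])
```
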

FIG. 2A is a block diagram that illustrates an exemplary gateway management system that enables distributing multimedia content to both local and remote devices, in accordance with an embodiment of the invention. Referring to FIG. 2A, there is shown a gateway management system 200 comprising a processing subsystem 202 and a communication subsystem 204.

The gateway management system 200 may comprise the processing subsystem 202, the communication subsystem 204, and suitable logic, circuitry, interfaces, and/or code that may enable performing, managing, and/or controlling multimedia content distribution by a gateway network device via a plurality of communication interfaces 206 a, . . . , 206 c. The communication interfaces 206 a, . . . , 206 c may comprise, for example, an optical fiber interface, a twisted pair based interface, a WiFi interface, a WiMAX interface, a cellular interface, a femtocell interface, and/or a satellite interface.

The processing subsystem 202 may comprise suitable logic, circuitry, interfaces, and/or code that may be operable to provide processing operations, including data and/or signal processing, to facilitate communications via the communication subsystem 204. The processing subsystem 202 may also comprise suitable logic, circuitry, interfaces, and/or code that may enable providing management and/or control operations in the gateway management system 200. For example, the processing subsystem 202 may enable generating control signals that may enable controlling transmission and/or reception of packets and/or data via the communication subsystem 204.

The communication subsystem 204 may comprise suitable logic, circuitry, interfaces and/or code that may be operable to perform data and/or packet transmission and/or reception via the plurality of communication interfaces 206 a, . . . , 206 c. While the gateway management system 200 is shown to comprise both the processing subsystem 202 and the communication subsystem 204, the invention need not be so limited. In some embodiments of the invention, at least some of the components and/or functions described herein may correspond to external devices and/or systems. For example, dedicated communication systems and/or devices may be utilized to perform the RF communication operations of the communication subsystem 204.

In operation, the gateway management system 200 may be integrated in a device, for example the gateway network device 110, to provide management operations during multimedia content distribution.

The communication subsystem 204 may be operable to enable reception and/or transmission of packets used to communicate multimedia content via the gateway network device 110. One or more of the communication interfaces 206 a, . . . , 206 c may be used to facilitate reception of packets communicated by the service/content providers 124 a and 124 b to the gateway network device 110; while other interfaces may be used to communicate the packets to the local network devices 112 a and/or 112 b, substantially as described with regard to, for example, FIG. 1A.

The processing subsystem 202 may be operable to control and/or manage the operations of the communication subsystem 204, based on, for example, feedback provided via the communication subsystem 204, predefined and/or dynamically determined information, and/or based on input provided to the gateway management system 200, by the gateway network device 110 and/or its user. The processing subsystem 202 may also be operable to provide processing operations during reception and/or transmission of packets carrying multimedia content via the gateway network device 110. For example, the processing subsystem 202 may perform necessary VLAN and/or DRM/DTCP related operations to limit and/or secure use of the multimedia content based on requirements imposed by the service/content providers 124 a and 124 b.

In an exemplary aspect of the invention, the processing subsystem 202 and the communication subsystem 204 may enable secure distribution of multimedia content via the gateway network device 110 to remote network devices. For example, one or more of the communication interfaces 206 a, . . . , 206 c may be used to facilitate communication of packets between the gateway network device 110 and the remote network device 114, via the secure connection 116, substantially as described with regard to, for example, FIG. 1A. In addition, the processing subsystem 202 may be operable to perform, for example, necessary L2TP/IPSec and/or VLAN double-tagging processing that may be required to facilitate communication of otherwise restricted multimedia content from the gateway network device 110 to the remote network device 114 via the secure connection 116.

FIG. 2B is a block diagram that illustrates an exemplary processing subsystem in a gateway management system that enables distributing multimedia content to both local and remote devices, in accordance with an embodiment of the invention. Referring to FIG. 2B, there is shown the processing subsystem 202 comprising a main processor 210, a system memory 212, a signal processing module 214, and a secure tunneling management module 216.

The processing subsystem 202 may comprise the main processor 210, the system memory 212, the signal processing module 214, the secure tunneling management module 216, and/or suitable logic, circuitry, interfaces, and/or code that may enable providing multimedia content distribution management operations as described with regards to FIG. 2A.

The main processor 210 may comprise suitable logic, circuitry, interfaces, and/or code that may enable controlling, managing and/or supporting processing operations in the processing subsystem 202, and/or the gateway management system 200. The main processor 210 may be utilized to control at least a portion of the system memory 212, the signal processing module 214, the secure tunneling management module 216, and/or the communication subsystem 204. In this regard, the main processor 210 may generate, for example, signals for controlling operations within the processing subsystem 202 and/or the communication subsystem 204. The main processor 210 may also enable execution of applications that may be utilized by the processing subsystem 202. The invention need not be limited to a specific processor, and the main processor 210 may comprise for example, a general purpose processor, a specialized processor or any combination of suitable hardware, firmware, software and/or code, which may be enabled to support and/or control operations of the gateway management system 200.

The system memory 212 may comprise suitable logic, circuitry, interfaces, and/or code that may enable permanent and/or non-permanent storage and/or fetch of data, code and/or other information used in the processing subsystem 202 and/or the communication subsystem 204. In this regard, the system memory 212 may comprise different memory technologies, including, for example, read-only memory (ROM), random access memory (RAM), and/or Flash memory. The system memory 212 may be utilized, for example, for storage of configuration data and/or execution code that is utilized by the main processor 210. The system memory 212 may also be utilized to store configuration information which may be utilized to control the operations of at least a portion of the communication subsystem 204.

The signal processing module 214 may comprise suitable logic, circuitry, interfaces, and/or code that may provide dedicated processing operations during transmission and/or reception operations in the gateway management system 200 based on one or more wired and/or wireless interfaces. The signal processing module 214 may enable, for example, processing of baseband signals during reception of RF signals via the communication subsystem 204. The signal processing module 214 may also be operable to generate control and/or processing signals, such as local oscillator signals, to facilitate performing conversion and/or modulation operations during reception of RF signals. Although the signal processing module 214 may be depicted as a single block, the invention need not be so limited. Accordingly, other embodiments of the invention may comprise a plurality of baseband processors for processing signals for one or more available RF transceivers.

The secure tunneling management module 216 may comprise suitable logic, circuitry, interfaces, and/or code that may be operable to establish, manage, and/or control secure connections that may be used to enable distribution of multimedia content to a plurality of remote devices.

In operation, the processing subsystem 202 may be operable to control and/or manage the operations of the communication subsystem 204. The main processor 210 and/or the signal processing module 214 may enable configuring of the communication subsystem 204, based on configuration information stored via the system memory 212 for example, to facilitate reception of RF signals via wired and/or wireless interfaces supported via the communication subsystem 204. The main processor 210 may also enable processing feedback provided via the communication subsystem 204, utilizing, for example, predefined parameters stored via the system memory 212, dynamically determined information during processing operations, and/or input provided into the gateway management system 200. For example, the main processor 210 and/or the signal processing module 214 may configure and/or manage the communication subsystem 204 during reception and/or transmission of packets that may be used to carry multimedia content received, and/or distributed by the gateway network device 110.

In an exemplary embodiment of the invention, the secure tunneling management module 216 may be operable to establish and/or manage secure connections that may be used to enable the gateway network device 110 to distribute multimedia content to remote network devices, for example the remote network device 114. For example, the secure tunneling management module 216 may provide control signals and/or data that may enable the main processor 210 and/or the signal processing module 214 to use the communication subsystem 204 to establish and/or use an L2TP/IPSec tunneling connection via one or more of the communication interfaces 206 a, ..., 206 c supported via the communication subsystem 204. In this regard, the secure tunneling management module 216 may perform directly, or manage performance of, IPSec encryption and/or L2TP data encapsulation of multimedia content communicated via the secure connection 116 between the gateway network device 110 and the remote network device 114. The secure tunneling management module 216 may also enable performing necessary VLAN double-tagging to facilitate secure distribution of the multimedia content to the remote network device 114. For example, the secure tunneling management module 216 may manage extraction of VIDs from packets based on the Ethernet frame 142, received from the service/content providers 124 a and 124 b. The secure tunneling management module 216 may then reuse those extracted VIDs to set up the inner VLAN tag field 164 in packets based on the Ethernet frame 144, which may be used to communicate the multimedia content to the remote network device 114. The secure tunneling management module 216 may also set up the outer VLAN tag field 162 in the Ethernet frame 144 used to communicate the multimedia content to the remote network device 114, to enable routing those packets to the remote network device 114 via the broadband network 122.

FIG. 3 is a flow chart that illustrates use of a gateway device to distribute multimedia content to remote devices, in accordance with an embodiment of the invention. Referring to FIG. 3, there is shown a flow chart 300 comprising a plurality of exemplary steps that may be utilized to enable distribution of multimedia content to remote devices.

In step 302, a gateway network device may receive multimedia content communicated by one or more service/content providers. For example, the gateway network device 110 may receive multimedia content communicated by service/content providers 124 a and/or 124 b, via VLAN based connections 120 a and 120 b, respectively. The multimedia content may be communicated via the broadband network 122, using packets that may be based on the Ethernet frame 142, which may allow the service/content providers 124 a and/or 124 b to set the VID parameter in the VLAN tag field 160 to unique values that limit and/or restrict use of the communicated multimedia content. In step 304, the security limitations of received multimedia content may be determined. For example, once the gateway network device 110 receives the packets communicated by the service/content providers 124 a and 124 b, the gateway network device may perform necessary processing operations, via the processing subsystem 202, to determine the security limitation imposed by the service/content providers 124 a and 124 b as to the received multimedia content. The use and/or distribution of the multimedia content may be restricted based on VLAN tagging and/or based on use of DRM policies, including, for example, the DTCP standard.

In step 306, secure connections to remote devices may be set up to enable secure distribution of multimedia content beyond a narrow geographical area to which the use of the multimedia content may otherwise be restricted. For example, the gateway network device 110 may establish the secure connection 116, based on L2TP/IPSec secure tunneling for example, to the remote network device 114 to facilitate distribution of multimedia content that may otherwise be restricted to the location 106. In step 308, the multimedia content may be distributed via secure tunneling connections to remote devices. For example, the gateway network device 110 may distribute multimedia content to the remote network device 114 via the secure connection 116. In an exemplary embodiment of the invention, VLAN double-tagging may be utilized to enable expanding the VLAN space used by the gateway network device 110 securely to the remote network device 114. For example, packets based on the double VLAN-tag Ethernet frame 144 may be used to enable implementing VLAN grouping between the gateway network device 110 and the remote device 114 while at the same time maintaining the VLAN grouping used by the service/content providers 124 a and 124 b to restrict use of communicated multimedia content.
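The double-tagging performed by the secure tunneling management module 216 and used in step 308 can be sketched as follows; this is an added illustration, not code from the patent. It assumes standard IEEE 802.1Q/802.1ad tag layouts, an outer TPID of 0x88A8 (the text names no TPID), and hypothetical function names, VIDs and connection identifiers.

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q tag, as on the provider's single-tagged frame
TPID_STAG = 0x88A8  # IEEE 802.1ad outer tag; assumed, the text names no TPID


class FrameError(ValueError):
    """Frame or VID that must not be forwarded over the secure connection."""


def check_vid(vid):
    # VID 0 (priority-only) and 4095 (reserved) cannot identify a VLAN group.
    if not 1 <= vid <= 4094:
        raise FrameError(f"VID {vid} outside usable range 1..4094")
    return vid


def parse_single_tagged(frame):
    """Split a single-tagged frame into (addresses, tci, ethertype+payload)."""
    if len(frame) < 18:
        raise FrameError("too short for an 802.1Q header")
    tpid, tci, next_type = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_CTAG:
        raise FrameError(f"expected one 802.1Q tag, got TPID {tpid:#06x}")
    if next_type in (TPID_CTAG, TPID_STAG):
        raise FrameError("frame already carries a second tag")
    check_vid(tci & 0x0FFF)
    return frame[:12], tci, frame[16:]


def double_tag(frame, connection_id, connection_vids, provider_vids):
    """Reuse the provider VID as inner tag; add the connection's outer tag."""
    addresses, inner_tci, rest = parse_single_tagged(frame)
    if (inner_tci & 0x0FFF) not in provider_vids:
        raise FrameError("provider VID not expected on this gateway")
    if connection_id not in connection_vids:
        raise FrameError(f"no outer VID associated with {connection_id!r}")
    outer_vid = check_vid(connection_vids[connection_id])
    # Assumption: the outer tag copies the inner priority bits (PCP/DEI).
    outer_tci = (inner_tci & 0xF000) | outer_vid
    tags = struct.pack("!HHHH", TPID_STAG, outer_tci, TPID_CTAG, inner_tci)
    return addresses + tags + rest


def read_tags(frame):
    """Return (outer VID, inner VID) of a double-tagged frame."""
    if len(frame) < 22:
        raise FrameError("too short for two VLAN tags")
    o_tpid, o_tci, i_tpid, i_tci = struct.unpack("!HHHH", frame[12:20])
    if (o_tpid, i_tpid) != (TPID_STAG, TPID_CTAG):
        raise FrameError("not an 802.1ad double-tagged frame")
    return o_tci & 0x0FFF, i_tci & 0x0FFF


# Constructed sample data (not from the page): provider VID 100, priority 5.
SAMPLE_FRAME = (
    bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    + struct.pack("!HH", TPID_CTAG, (5 << 13) | 100)
    + struct.pack("!H", 0x0800) + b"media-payload"
)
PROVIDER_VIDS = {100, 101}
CONNECTION_VIDS = {"secure-connection-116": 300}

if __name__ == "__main__":
    tagged = double_tag(SAMPLE_FRAME, "secure-connection-116",
                        CONNECTION_VIDS, PROVIDER_VIDS)
    print(read_tags(tagged), tagged.hex())
```

The provider's VID survives unchanged as the inner tag, so the original VLAN grouping is preserved, while the outer VID is tied to one secure connection; frames with an unexpected VID, no tag, or an existing second tag are rejected rather than forwarded.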

Various embodiments of the invention may comprise a method and system for integrating remote devices into a domestic VLAN. The gateway network device 110 may establish, via the gateway management system 200, secure connections with a plurality of remote network devices, for example secure connection 116 to the remote network device 114, to distribute via the secure connections multimedia content received by the gateway network device 110 from service/content providers 124 a and/or 124 b. The consumption of the multimedia content may originally be restricted to a plurality of local network devices, including the local network devices 112 a and/or 112 b, which may be communicatively coupled to a local network associated with the gateway network device 110 in the location 106. The remote network device 114 may not originally be authorized to consume the distributed multimedia content prior to the distribution by the gateway network device 110, due to geographical remoteness for example. The secure connection 116 may be established using one or more tunneling protocols. The secure connection 116 may be set up using layer 2 tunneling protocol (L2TP), and such L2TP based tunneling connection may be secured using Internet Protocol Security (IPSec). Use of the multimedia content may be restricted based on a Digital Rights Management (DRM) policy of service/content providers 124 a and/or 124 b. The DRM policy may be implemented using Digital Transmission Content Protection (DTCP) protocol, which may restrict use of the multimedia content based on roundtrip times and/or IP subnetting. Each of service/content providers 124 a and/or 124 b may utilize one or more VIDs during communication of the multimedia content to the gateway network device 110. The gateway network device 110 may also associate with each secure connection an additional VID that may be used to tag packets used to communicate the multimedia content to the remote network devices.
Consequently, multimedia content distribution to remote network devices may comprise communicating double VLAN-tagged packets, based on the Ethernet frame 144, using the processing subsystem 202 and/or the communication subsystem 204 in the gateway management system 200 to remote network devices during the distribution of multimedia content.

Another embodiment of the invention may provide a machine and/or computer readable storage and/or medium, having stored thereon, a machine code and/or a computer program having at least one code section executable by a machine and/or a computer, thereby causing the machine and/or computer to perform the steps as described herein for integrating remote devices into a domestic VLAN.

Accordingly, the present invention may be realized in hardware, software, or a combination of hardware and software. The present invention may be realized in a centralized fashion in at least one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system or other apparatus adapted for carrying out the methods described herein is suited. A typical combination of hardware and software may be a general-purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.

The present invention may also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which when loaded in a computer system is able to carry out these methods. Computer program in the present context means any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different material form.

While the present invention has been described with reference to certain embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the present invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the present invention without departing from its scope. Therefore, it is intended that the present invention not be limited to the particular embodiment disclosed, but that the present invention will include all embodiments falling within the scope of the appended claims. 

What is claimed is:
 1. A method comprising: at a gateway network device, receiving from a provider data defining multimedia content; forming one or more packets including portions of the data defining the multimedia content, including: tagging the one or more packets with a first virtual local area network (VLAN) tag for secure distribution of the multimedia content to first local area network devices; tagging the one or more packets with a second VLAN identifier for secure distribution of the multimedia content to second local area network devices; and distributing the one or more packets.
 2. The method of claim 1 wherein tagging the one or more packets with a first VLAN tag comprises adding a VLAN tag field to the one or more packets to limit the use of the multimedia content received from the provider to network devices in a first location.
 3. The method of claim 2 wherein tagging the one or more packets with a first VLAN tag comprises adding a VLAN tag field to the one or more packets to limit the use of the multimedia content received from the provider to network devices communicatively coupled to the gateway network device.
 4. The method of claim 2 wherein tagging the one or more packets with a second VLAN tag comprises adding a VLAN tag field to the one or more packets to extend the use of the multimedia content received from the provider to network devices in locations other than the first location.
 5. The method of claim 2 wherein tagging the one or more packets with a second VLAN tag comprises adding a VLAN tag field to the one or more packets to extend the use of the multimedia content received from the provider to network devices located remotely from the gateway network device.
 6. The method of claim 1 wherein the second VLAN tag defines a second VLAN group between the gateway network device and the second local area network devices while maintaining a first VLAN group between the gateway network device and the first local area network devices use by the provider to restrict use of the multimedia content to the first local area network devices.
 7. The method of claim 1 further comprising: receiving data defining the first VLAN tag from the provider; copying the data defining the first VLAN tag to the one or more packets.
 8. The method of claim 7 further comprising: receiving one or more Ethernet frames including the data defining multimedia content and the data defining the first VLAN tag; copying the data defining the first VLAN tag to the one or more packets to preserve the secure distribution of the multimedia content to the first local area network devices; and adding to the one or more packets a second VLAN tag to expand secure distribution of the multimedia content to the second local area network devices.
 9. The method of claim 1 further comprising: receiving one or more Ethernet frames including the data defining multimedia content and data defining the first VLAN tag; formatting one or more packets including: copying the data defining the first VLAN tag to an inner VLAN tag field of the one or more packets; adding data defining the second VLAN identifier to an outer VLAN tag field of the one or more packets.
 10. A system comprising: a gateway network device configured to receive, over a network from a provider, data defining multimedia content restricted to use by first network devices on a first network managed by the gateway network device and further configured to communicate to second network devices on a second network managed by the gateway network device double-tagged virtual local area network (VLAN) packets to distribute the restricted multimedia content for use by the second network devices.
 11. The system of claim 10 wherein the gateway network device comprises: a plurality of communication interfaces configured for data communication with the network, the first network and the second network; a communication subsystem in data communication with the plurality of communication interfaces and configured for packet transmission and packet reception via the plurality of communication interfaces; and a processing subsystem in data communication with the communication subsystem and configured to manage communication by the gateway network device.
 12. The system of claim 11 wherein the processing subsystem comprises a secure tunneling management module configured to format the double-tagged VLAN packets by managing extraction of VLAN identifiers from the received data defining multimedia content, reusing the extracted VLAN identifiers and adding a second VLAN identifier to format the double-tagged VLAN packets.
 13. The system of claim 11 wherein a communication interface of the plurality of communication interfaces is configured to receive Ethernet frames over the network from the provider and wherein the processing subsystem is configured to extract from the received Ethernet frames VLAN identifiers associated with the first network to permit use of the restricted multimedia content by the first network devices on the first network managed by the gateway network device and to format a transmission packet with the extracted VLAN identifiers.
 14. The system of claim 10 wherein the gateway network device is configured to format the double-tagged VLAN packets with a first VLAN tag received from the provider and with a second VLAN tag which is operative to enable secure communication of the double-tagged VLAN packets to the second network devices.
 15. The system of claim 14 wherein the gateway network device is further configured to designate a particular connection to a particular second network device as a secure connection and further configured to a particular second VLAN tag to a value associated with the secure particular connection.
 16. The system of claim 14 wherein the gateway network device is configured to format the double-tagged VLAN packets with the first VLAN tag to limit the use of the multimedia content received from the provider to network devices in a first location and to format the double-tagged VLAN packets with the second VLAN tag to extend the use of the restricted multimedia content for use by the second network devices locations other than the first location.
 17. A method comprising: at a gateway network device, establishing one or more secure connections between the gateway network device and one or more remote network devices, the secure connections configured to distribute multimedia content from the gateway network device to the one or more remote network devices; receiving multimedia content from a provider; establishing a virtual local area network (VLAN) group including the gateway network device and a first group of devices to restrict consumption of the received multimedia content to one or more devices communicatively coupled to a local network; associating one or more different VLAN identifiers with each of the one or more secure connections; packetizing the multimedia content into one or more packets for communication via the one or more secure connections; tagging the one or more packets with a different VLAN identifier of the one or more different VLAN identifiers corresponding to a particular secure connection of the one or more secure connections to implement VLAN grouping between the gateway network device and one or more remote network devices of the particular secure connection; and communicating the one or more packets via the particular secure connection to the one or more remote network devices over the particular secure connection while maintaining VLAN grouping used to restrict consumption of distributed multimedia content.
 18. The method of claim 17 wherein receiving multimedia content from a provider comprises receiving multimedia content for which the use of which is restricted based on a Digital Rights Management (DRM) policy of the provider to the VLAN group.
 19. The method of claim 18 wherein communicating the one or more packets to the one or more remote network devices comprises: communicating the one or more packets to devices which were not originally authorized under the DRM policy to consume said multimedia content; and simulating requirements of the DRM policy which otherwise limit distribution of the multimedia content to the VLAN group.
 20. The method of claim 17 wherein establishing the one or more secure connections between the gateway network device and one or more remote network devices comprises setting up one or more secure connections using one of layer 2 tunneling protocol (L2TP) and Internet Protocol Security (IPSec). 